May 18, 2016
John M. Gilligan
Is Cyber Resilience Really That Difficult?
6th Cyber Resiliency Workshop
Cyber Resilience: A Personal Journey
• The Early Days
• Chasing the Dream
• The Dark Ages of Cybersecurity
• Dawn of the Internet
• The “Cat is Out of the Bag”
• Everyone’s Challenge
Personal Conclusions
• Achieving original dream of resilience is a (very) long term objective
• Cyber resiliency is a complex, system of systems engineering challenge
• Cyber risk management requires knowledge most organizations do not possess
• Market forces are not well aligned to achieve resiliency
• Weak focus by IT development and operations communities hampers progress toward resilience
A Useful Framework For Addressing Cyber Resilience
[Figure: a two-by-two grid with THREAT (Unsophisticated to Sophisticated) on the vertical axis and MISSION/FUNCTION CRITICALITY (Low to High) on the horizontal axis.]
A Top Level Resilience Strategy
[Figure: the same THREAT versus MISSION/FUNCTION CRITICALITY grid, with a strategy assigned to each region:]
• Low threat, low criticality: Accept Risk (Low Risk)
• Sophisticated threat, high criticality: Deploy Targeted Advanced Security Controls/Methods
• Everywhere else: Implement Comprehensive Baseline of Security Controls (“Good Hygiene”)
Implementing Resilience
[Figure: the same THREAT versus MISSION/FUNCTION CRITICALITY grid, annotated with the two implementation steps:]
• Step 1: Build CSC Baseline: Implement Comprehensive Baseline of Security Controls
• Step 2: Expand control coverage/augment methods to address sophisticated threats and reduce risk footprint as appropriate: Deploy Targeted Advanced Security Controls/Methods
• Accept Risk remains the strategy for the low-threat, low-criticality region
Comprehensive Baseline of Security Controls (CIS Critical Security Controls – Version 6)
Basic Hygiene: 80+% of Threats!*
* Australian Signals Directorate Study
Cybersecurity Resiliency Framework: Economic Considerations*
[Figure: the same THREAT versus MISSION/FUNCTION CRITICALITY grid, with each region mapped to an investment posture:]
• Where the comprehensive baseline applies: Investment in Cyber Operations and Security (High Return for Modest or No Investment)
• Sophisticated threat, high criticality: Targeted Investment (Careful Risk-Return Analysis)
• Low threat, low criticality: No Investment
*See also “The Economics of Cyber Security: Part I and Part II”, AFCEA Cyber Committee, October 2013 and April 2014.
Cybersecurity Resilience Maturity Framework*
Maturity Level | Employment of Security Controls | Security Tailored to Mission | Participate in Information Sharing (threat/vul) | Response to Cyber Threats | Resilience to Cyber Attacks
Level 5: Resilient | Augment CSC Based on Mission | Mission Assurance Focused | Real Time Response to Inputs | Anticipate Threats | Operate Through Sophisticated Attack
Level 4: Dynamic | Augment CSC Based on Mission | Mission Focused | Real Time Response to Inputs | Rapid Reaction To Threats | Able to respond to Sophisticated Attack
Level 3: Managed | CSC Integrated and Continuously Monitored | Partially Mission Focused | Respond to Information Inputs | Respond to Attacks After the Fact | Protection against Unsophisticated Attack
Level 2: Performed | Foundational/Critical Security Controls (CSC) Implemented | Mission Agnostic | Inconsistent Response to Information Inputs | Respond to Attacks After the Fact | Some Protection Against Unsophisticated Attacks
Level 1: No Resilience | Inconsistent Deployment of Security Controls | None | None | |
Step 1: Implement CSC Baseline
Step 2: Address Sophisticated Attacks
Most Organizations Today
*Reference Robert Lentz “Cyber Security Maturity Model”, Presentation 2011
Level 1: No Resilience
Maturity Level | Employment of Security Controls | Mission Tailoring | Information Sharing (threat/vul.) | Threat Response | Cyber Attack Response
Level 1: No Resilience | Inconsistent Deployment of Security Controls | None | None | No Response | Susceptible to Unsophisticated Attacks
Characteristics
• Security controls are implemented in an ad hoc or fragmented manner
• Response to threats/attacks is as a result of outside stimulus (e.g., CERT notification of successful attack)
• Intermittent participation in sharing of threat and vulnerability information
• No discrimination of protection among missions
• Unsophisticated attacks have high probability of success
Level 2: Performed
Maturity Level | Employment of Security Controls | Mission Tailoring | Information Sharing (threat/vul.) | Threat Response | Cyber Attack Response
Level 2: Performed | Foundational/Critical Security Controls (CSC) Implemented | Mission Agnostic | Inconsistent Response to Information Inputs | Respond to Attacks After the Fact | Some Protection Against Unsophisticated Attacks
Characteristics
• Critical Security Controls implemented across the organization but in a delegated or fragmented approach
  • Organization implements critical security controls although implementation is “tailored” by sub organizations and/or implementation of critical controls is incomplete
• Mission Agnostic
  • All missions are protected equally
• Inconsistent Response to Information Inputs
  • Inconsistent or periodic engagement and response to malware/CERT community updates on threats/vulnerabilities
• Respond to Attacks (after the fact)
  • Organizations deploy countermeasures as they are available and they have the opportunity to respond
• Some protection against unsophisticated attack
  • Critical Security Controls that are implemented will be effective against most unsophisticated attacks
  • Overlapping and inconsistent implementation of critical security controls leave protection “gaps” that could be exploited by relatively unsophisticated attacks
Level 3: Managed
Maturity Level | Employment of Security Controls | Mission Tailoring | Information Sharing (threat/vul.) | Threat Response | Cyber Attack Response
Level 3: Managed | CSC Integrated and Continuously Monitored | Partially Mission Focused | Respond to Information Inputs | Respond to Attacks After the Fact | Protection against Unsophisticated Attack
Characteristics
• Critical Security Controls integrated across enterprise with continuous monitoring
  • Risk evaluation focused on priority missions matched against past and emerging threats guides risk-benefit decision regarding fielding controls to augment foundation/critical controls
• Partially Mission Focused
  • Clear understanding of mission critical information and systems
  • Protection focused on most critical mission capabilities
• Respond to Information Inputs
  • Cooperation with larger malware/CERT community for updates on threats/vulnerabilities
• Respond to Attacks (after the fact)
  • Deploy countermeasures as they are available
• Protection against unsophisticated attack
  • Critical Security Controls will be effective against 80+% of attacks
  • Continuous monitoring and threat/vulnerability information sharing will provide ability to respond to some sophisticated attacks
Level 4: Dynamic
Maturity Level | Employment of Security Controls | Mission Tailoring | Information Sharing (threat/vul.) | Threat Response | Cyber Attack Response
Level 4: Dynamic | Augment CSC Based on Mission | Mission Focused | Real Time Response to Inputs | Rapid Reaction To Threats | Respond to Sophisticated Attack
Characteristics
• Augment Critical Security Controls based on Mission
  • Risk evaluation focused on priority missions matched against past and emerging threats guides risk-benefit decision regarding fielding controls to augment foundation/critical controls
• Mission Focused
  • Analysis of spectrum of mission and information criticality results in agreement of priorities for cyber protection/restoral
  • The architecture of the organization implements boundaries between
• Real Time Response to Inputs
  • Cyber intelligence program (Multiple Sources, Disciplined Indications and Warning, Good understanding of sector-specific threats)
  • Incident response baked into defensive posture
• Rapid Reaction To Threats
  • Cooperation with larger malware/CERT community
  • Deploy countermeasures as they are available
• Respond to sophisticated attack
  • After recognizing attack, assess impact and implement response (e.g., disconnect/shut down system, block attack, etc.)
  • Ability to respond to most sophisticated attacks
Level 5: Resilient
Maturity Level | Employment of Security Controls | Mission Tailoring | Information Sharing (threat/vul.) | Threat Response | Cyber Attack Response
Level 5: Resilient | Augment CSC Based on Mission | Mission Assurance Focused | Real Time Response to Inputs | Anticipate Threats | Operate Through Sophisticated Attack
Characteristics
• Augment Critical Security Controls based on Mission
  • Risk evaluation focused on priority missions matched against past and emerging threats guides risk-benefit decision regarding fielding controls to augment foundation/critical controls
• Mission Assurance Focused
  • Analysis of spectrum of mission and information criticality results in agreement of priorities for protection and how to assure continued operation in the face of cyber attacks
• Real Time Response to Inputs
  • Cyber intelligence program (Multiple Sources: Both classified and unclassified, Disciplined Indications and Warning, Good understanding of sector-specific threats)
  • Cyber Operators and Development team working together (also relevant to operating through attacks)
  • Incident response baked into defensive posture
• Anticipate Threats
  • Malware/Attack Pattern Analysis Program with large repository of samples from which to extract unique signatures (potential use of Honeypots to gain attack insights)
  • Cooperation with larger malware/CERT community
• Operate through sophisticated attack
  • Workforce culture of “cyber warfare” ensures real time response to attacks and preservation of priority missions during attack by a “nation state” class of threat
Cybersecurity Resilience Maturity Framework
Maturity Descriptor | Employment of Security Controls | Security Tailored to Mission | Participate in Information Sharing (threat/vul.) | Response to Cyber Threats | Resilience to Cyber Attacks
Level 5: Resilient | Augment CSC Based on Mission | Mission Assurance Focused | Real Time Response to Inputs | Anticipate Threats | Operate Through Sophisticated Attack
Level 4: Dynamic | Augment CSC Based on Mission | Mission Focused | Real Time Response to Inputs | Rapid Reaction To Threats | Able to respond to Sophisticated Attack
Level 3: Managed | CSC Integrated and Continuously Monitored | Partially Mission Focused | Respond to Information Inputs | Respond to Attacks After the Fact | Protection against Unsophisticated Attack
Level 2: Performed | Foundational/Critical Security Controls (CSC) Implemented | Mission Agnostic | Inconsistent Response to Information Inputs | Respond to Attacks After the Fact | Some Protection Against Unsophisticated Attacks
Level 1: No Resilience | Inconsistent Deployment of Security Controls | None | None | No Response | Susceptible to Unsophisticated Attacks
Step 1: Implement CSC Baseline
Step 2: Address Sophisticated Attacks
Summary
• Achieving high resilience is possible today
• High levels of resilience can be achieved without additional cost
• Resilience must be a structured journey, not a random walk
• Fundamental improvements in resiliency of HW and SW necessary to get ahead of sophisticated attacks
Contact Information
John M. Gilligan
Center for Internet Security (CIS)
703-503-3232
518-266-3460